Transcript Just Enough Admin
There is a tsunami of bad heading our way
Michael Hayden Four star general Director of the NSA Director of the CIA Director of National Intelligence
Edward Snowden Age 30 College dropout
Admins have the keys to the kingdom
You’re an Admin PWNED!!!
Hunting and Hacking System Administrators “Who better to target than the person that already has the ‘keys to the kingdom’?”
PS> Enter-PSSession Server1
FAIL! – Talk to your supervisor for assistance

"Jeffrey, I need to be admin on Server1 to restart SQL."
"No, Eddie. Just use JEA and connect to the 'Maintenance' endpoint on Server1."

PS> Enter-JeaSession Server1 -Name Maintenance
Server1> Restart-Service MSSQLSERVER
Server1> Steal-Secrets
Error: You are not authorized to Steal-Secrets
The three DSC resources: JeaToolkit, JeaEndPoint, JeaEndPointAccount

JeaEndPointAccount: the RunAs account behind an endpoint puts the server in its own blast container. Avoid domain accounts and Group Managed Service Accounts (gMSA) here, because a breach of the endpoint then extends to every server those accounts have access to.
Configuration FileServers {
    foreach ($node in Get-FileServers) {
        Node $node {
            JeaToolkit StorageTools {
                Name         = 'StorageTools'
                CommandSpecs = @'
Module
Storage
SMBShare
'@
            }
            JeaEndpoint StorageAdmin {
                ToolKit                = 'StorageTools'
                SecurityDescriptorSddl = 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)'
            }
        }
    }
}

FileServers -OutputPath .\FileServers
Start-DscConfiguration .\FileServers -ComputerName (Get-StorageServers)
JeaToolkit SQLMaintenance {
    Name         = 'SQLMaintenance'
    CommandSpecs = @'
Module,Name,Parameter,ValidateSet,ValidatePattern
SQL,GET-*
,Get-Process
,Get-Service
,Stop-Process,Name,calc;notepad
,Restart-Service,Name,,^SQL
'@
}

The same toolkit with the command specs kept in a CSV file and read at compile time:

JeaToolkit SQLMaintenance {
    Name         = 'SQLMaintenance'
    CommandSpecs = Get-Content .\SQL.csv -Raw
}
Command visibility
Proxies
$cmd = Get-Command Stop-Process
$MetaData = New-Object System.Management.Automation.CommandMetaData $cmd
$MetaData.Parameters.Remove("ID")
$MetaData.Parameters.Name.Attributes.Add(
    (New-Object System.Management.Automation.ValidateSetAttribute ("notepad", "calc")))
$MetaData.DefaultParameterSetName = "Name"
${Function:Stop-Process} = [System.Management.Automation.ProxyCommand]::Create($MetaData)
$cmd.Visibility = "Private"
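The Stop-Process demo above builds one proxy by hand. The following is an added example, not code from the talk or from the JEA DSC resources, that applies the same CommandMetadata/ProxyCommand mechanism to a whole CommandSpecs CSV in the column layout used by JeaToolkit. How the columns are interpreted is my assumption and the resource's own semantics may differ: an empty Module means any module, a row that names a Parameter adds ValidateSet (semicolon separated) or ValidatePattern to that parameter of an otherwise unchanged proxy, and every named command is exposed with the original cmdlet hidden behind the proxy. The sample CSV is constructed for the example and only uses built-in cmdlets, so it runs in any PowerShell 3.0 or later session.

```powershell
# Added example (not the talk's code, not the xJea resources): CSV-driven proxy generation.
function ConvertFrom-CommandSpec {
    # Parse the CSV into one entry per command name: Module, Name, and a hashtable of
    # parameter constraints (Set = string[] for ValidateSet, Pattern = regex for ValidatePattern).
    param([Parameter(Mandatory = $true)][string]$Csv)
    $specs = [ordered]@{}
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        if ([string]::IsNullOrWhiteSpace($row.Name)) { continue }
        if (-not $specs.Contains($row.Name)) {
            $specs[$row.Name] = @{ Module = $row.Module; Name = $row.Name; Constraints = @{} }
        }
        if (-not [string]::IsNullOrWhiteSpace($row.Parameter)) {
            $specs[$row.Name].Constraints[$row.Parameter] = @{
                Set     = if ($row.ValidateSet)     { $row.ValidateSet -split ';' } else { $null }
                Pattern = if ($row.ValidatePattern) { $row.ValidatePattern }       else { $null }
            }
        }
    }
    $specs.Values
}

function Install-CommandSpec {
    # Resolve each spec to real commands (wildcards allowed), build a constrained proxy for
    # every command that has parameter rows, hide the original, and return the exposed names.
    param([Parameter(Mandatory = $true)][string]$Csv)
    $exposed = @()
    foreach ($spec in ConvertFrom-CommandSpec -Csv $Csv) {
        $lookup = @{ Name = $spec.Name; ErrorAction = 'Stop' }
        if ($spec.Module) { $lookup.Module = $spec.Module }   # assumption: empty Module = any module
        foreach ($cmd in (Get-Command @lookup)) {
            if ($spec.Constraints.Count -eq 0) { $exposed += $cmd.Name; continue }
            $meta = New-Object System.Management.Automation.CommandMetadata $cmd
            foreach ($param in $spec.Constraints.Keys) {
                if (-not $meta.Parameters.ContainsKey($param)) {
                    throw "$($cmd.Name) has no parameter named '$param'"
                }
                $c = $spec.Constraints[$param]
                if ($c.Set) {
                    $meta.Parameters[$param].Attributes.Add(
                        (New-Object System.Management.Automation.ValidateSetAttribute -ArgumentList @(,[string[]]$c.Set)))
                }
                if ($c.Pattern) {
                    $meta.Parameters[$param].Attributes.Add(
                        (New-Object System.Management.Automation.ValidatePatternAttribute $c.Pattern))
                }
            }
            # The proxy becomes a session function of the same name; the cmdlet goes private so the
            # constraints cannot be bypassed by calling the original directly from the client.
            $body = [System.Management.Automation.ProxyCommand]::Create($meta)
            Set-Item -Path "Function:\$($cmd.Name)" -Value ([scriptblock]::Create($body))
            $cmd.Visibility = 'Private'
            $exposed += $cmd.Name
        }
    }
    $exposed
}

# Constructed sample spec in the slide's column layout (built-in modules so it resolves anywhere).
$SampleSpec = @'
Module,Name,Parameter,ValidateSet,ValidatePattern
Microsoft.PowerShell.Utility,Measure-*
,Get-Process
,Get-Service
,Stop-Process,Name,calc;notepad
,Restart-Service,Name,,^SQL
'@

$exposed = Install-CommandSpec -Csv $SampleSpec
"Exposed: $($exposed -join ', ')"
# Both calls are rejected at parameter binding, before the wrapped cmdlet ever runs.
try { Stop-Process -Name explorer -WhatIf } catch { "Blocked: $($_.Exception.Message)" }
try { Restart-Service -Name Spooler -WhatIf } catch { "Blocked: $($_.Exception.Message)" }
```

Restart-Service with a name that starts with SQL passes the pattern and reaches the real cmdlet; the proxy keeps SupportsShouldProcess, so -WhatIf still works for a dry run. Run this in the endpoint's startup script, not interactively, so the private cmdlets are hidden from the remote caller and only the proxies remain public.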
PowerShell Remoting connects to session configurations. Each configuration has:
• Name
• ACL
• StartupScript
• RunAsCredentials
Get-Command *PSSessionConfiguration
$cred = Get-Credential   # Provide an account with local admin privileges
Register-PSSessionConfiguration `
    -Name Maintenance `
    -ShowSecurityDescriptorUI `
    -StartupScript c:\Jea\Initialize-Maintenance.ps1 `
    -RunAsCredential $cred

Enter-PSSession -ComputerName Server1 -ConfigurationName Maintenance
$ExecutionContext.SessionState.LanguageMode = 'NoLanguage'
Language modes, from most to least restrictive: NoLanguage, ConstrainedLanguage, FullLanguage
$ss = $ExecutionContext.SessionState
$ss.Scripts.Clear()                                          # no script files may run
$ss.Applications.Clear()                                     # no external executables...
$ss.Applications.Add("C:\windows\system32\calc.exe")         # ...except the ones listed explicitly
(Get-Command Restart-Computer).Visibility = "Private"        # hide a command from the caller
Always hide Invoke-Expression and New-Object.
Get-Module $Module | ForEach-Object { $_.LogPipelineExecutionDetails = $true }
$user = $PSSenderInfo.ConnectedUser
Send-MailMessage -Body "$user on machine $(hostname)"   # -To, -From, -Subject and -SmtpServer omitted on the slide
$today = [DateTime]::Now.DayOfWeek
if ($today -in "Saturday", "Sunday") { throw "GO HOME" }
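The endpoint registration and the startup-script fragments above are steps of one procedure. What follows is an added example, not the talk's own Initialize-Maintenance.ps1: a complete startup script for the Maintenance endpoint registered with -StartupScript c:\Jea\Initialize-Maintenance.ps1, combining only techniques the slides show (sender identity, the weekend rule, pipeline logging, command visibility, cleared Scripts and Applications, NoLanguage mode). The allowlist contents, the hand-written Restart-SqlService wrapper and the example.com mail addresses are my assumptions that a site would replace.

```powershell
# Added example (not the talk's script): a complete Initialize-Maintenance.ps1 for the endpoint.

# 1. Who connected? $PSSenderInfo exists only inside a remote session; fall back for local testing.
$user = if ($PSSenderInfo) { $PSSenderInfo.ConnectedUser } else { "$env:USERDOMAIN\$env:USERNAME" }

# 2. The slide's time-of-day rule. An error in a startup script aborts session creation,
#    so the client never gets a prompt.
if ([DateTime]::Now.DayOfWeek -in 'Saturday', 'Sunday') { throw 'GO HOME' }

# 3. Tell someone. The slide omitted -To/-From/-SmtpServer; the values below are placeholders.
# Send-MailMessage -To 'soc@example.com' -From "jea@$(hostname)" -SmtpServer 'smtp.example.com' `
#     -Subject "JEA Maintenance session on $(hostname)" -Body "$user connected at $(Get-Date -Format o)"

# 4. Log every pipeline from the modules this endpoint exposes (event 4103 in
#    Microsoft-Windows-PowerShell/Operational, queried later with the Runspace ID).
$Modules = 'Microsoft.PowerShell.Management', 'Microsoft.PowerShell.Utility'
Import-Module $Modules
Get-Module $Modules | ForEach-Object { $_.LogPipelineExecutionDetails = $true }

# 5. Expose a wrapper instead of Restart-Service itself. ValidatePattern enforces "SQL services only",
#    and the module-qualified call keeps working after the cmdlet is hidden, because script defined
#    inside the session runs with internal command origin while the remote client does not.
function Restart-SqlService {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][ValidatePattern('^SQL')][string[]]$Name)
    Microsoft.PowerShell.Management\Restart-Service -Name $Name
}

# 6. Allowlist (assumed). Everything else that is loaded becomes private: still callable from this
#    script's functions, invisible to the caller. The first line is the set an interactive remoting
#    client relies on to show output and help.
$Allowed = 'Clear-Host', 'Exit-PSSession', 'Get-Command', 'Get-FormatData', 'Get-Help',
           'Measure-Object', 'Out-Default', 'Select-Object',
           'Get-Process', 'Get-Service', 'Restart-SqlService'
Get-Command -ListImported -CommandType Cmdlet, Function, Alias |
    Where-Object { $_.Name -notin $Allowed } |
    ForEach-Object { $_.Visibility = 'Private' }

# 7. No script files, no external programs, and a check on the two commands the slide says to always hide.
$ss = $ExecutionContext.SessionState
$ss.Scripts.Clear()
$ss.Applications.Clear()
foreach ($name in 'Invoke-Expression', 'New-Object') {
    if ((Get-Command $name).Visibility -ne 'Private') { throw "$name must not be visible in this endpoint" }
}

# 8. Last, after the lockdown above has run under FullLanguage: from here on the caller can invoke
#    visible commands but cannot run script, expressions or method calls.
$ss.LanguageMode = 'NoLanguage'
```

After Enter-PSSession -ComputerName Server1 -ConfigurationName Maintenance, the caller sees Get-Process, Get-Service and Restart-SqlService plus the handful of host commands; Restart-SqlService -Name Spooler fails at parameter binding, Restart-Service is not a recognized command, and every pipeline that does run is tagged with the session's Runspace ID in the operational log.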
$myid = $ExecutionContext.Host.Runspace.InstanceId
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational |
    Where-Object { $_.Properties.Value -match "Runspace ID = $myid" } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Command = $_.Properties[2].Value
            Time    = $_.TimeCreated
        }
    }
BlackHat 2010 Q: What do we do about all these attacks?
A: “Man up and defend yourselves!”
Jea – Just Enough Admin PowerShell role-based administration to secure a post-Snowden world
For More Information
Windows Server 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205286
System Center 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205295
Azure Pack: http://www.microsoft.com/en-us/server cloud/products/windows-azure-pack
Microsoft Azure: http://azure.microsoft.com/en-us/

Come visit us in the Microsoft Solutions Experience! Look for Datacenter and Infrastructure Management, TechExpo Level 1, Hall CD.

http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn